Privacy policy

This Privacy Policy describes how Netmaa Ltd processes the personal data of its customers.

Netmaa Oy ("Company") protects the privacy of data subjects and complies with the European Union's General Data Protection Regulation (2016/679) ("GDPR") and other applicable data protection legislation in all processing of personal data.

This Privacy Policy applies to all services provided by the Company at its offices, on its website and on social media services. In addition to the personal data of customers, this Privacy Policy also applies to the processing of personal data of potential customers.

"Personal data" means any information relating to a natural person ("data subject") from which he or she can be directly or indirectly identified, as defined in the GDPR. Information which does not directly or indirectly identify the data subject is not personal data.

1. The controller and the controller's representative

Netmaa Oy
Kalevantie 7 C
33100 Tampere
Business ID: 2058390-1

Esa Ajo
+358 400 484776

2. Purposes and legal basis for processing personal data

Personal data is processed for the following purposes, among others:

  • Commissioning and provision of the Company's services
  • Managing customer relationships
  • Customer service and targeted customer communication on services and monitoring of service usage
  • Marketing and targeting clients and potential clients for non-therapy services
  • Planning and developing the company's business
  • To fulfil statutory obligations
  • For processing job applications

The legal basis for the processing of personal data of data subjects is primarily the consent of the data subject or a contractual relationship between the Company and the data subject based on the subscription to a service provided by the Company. The processing of personal data is also based on legal obligations, such as accounting obligations and any statutory reporting obligations.

Personal data is not used for automated decision-making or profiling.

3. Categories of personal data processed, data content and data sources

The Company only collects personal data from data subjects that is relevant and necessary for the purposes described in this Privacy Policy.

The following information about data subjects is processed:

Name, position, address, telephone number, e-mail address and date of birth/personal identification number of the data subject/representative of the entity.

Account number, billing and payment information and other information that identifies the customer relationship.

Information about the contract between the Company and the data subject or between the Company and the entity representing the data subject, service and order information, customer feedback, and communications, complaints, customer feedback and other business information between the data subject and the Company.

Monitoring of the data subject's online behaviour and the Company's services, for example by means of cookies or similar technical identification data. The information collected may include, for example, the user's IP address and the pages visited.

Information on the data subject's consent to direct marketing by electronic means (e.g. newsletter) or other processing of personal data, as well as information on the withdrawal of the above-mentioned consents and on the data subject's objections.

The provision of personal data is necessary for the performance of a contract between the Company and the data subject and for the performance of obligations under the law, as well as for the provision of the Company's services.

Sources of information:

Personal data is mainly collected from the data subjects themselves, for example, when making an offer, when concluding a customer contract, during the course of customer relationship management, in connection with marketing and customer meetings, through forms on the website or through social media services.

In addition, for non-therapy services, data may also be collected and updated from registers maintained by third parties where permitted by law.

4. Retention of personal data

The Company will retain personal data for as long as necessary to fulfil the purposes set out in this Privacy Policy, unless the law requires us to retain personal data for longer.

The retention period and criteria vary from one category of personal data to another, depending on the purpose for which a particular category of personal data is used.

Personal data is processed for the duration of the customer and contractual relationship and for the necessary period after the termination of the customer and contractual relationship.
For entities, the retention of the personal data of the entity's representative depends on how long the data subject acts as the entity's representative towards the Company.

When the personal data is no longer needed as defined above, the data will be deleted within a reasonable period of time, unless there is a legal obligation to keep the data for a longer period of time.

5. Processors and other recipients of personal data

The Company may use service providers and subcontractors to process personal data in accordance with this Privacy Policy. For example, service providers providing IT services, financial management services, collection and legal services and other services to the Company may be involved in the processing of personal data.

The Company will draw up an appropriate personal data processing agreement with all parties involved in the processing of personal data.

In addition, personal data may be disclosed to public authorities in order to fulfil legal and contractual obligations.

If the Company is involved in a merger, acquisition or other business arrangement, it may need to disclose data subjects' personal data to third parties.

6. Transfer of personal data outside the EU or EEA

As a rule, personal data is not transferred by the controller outside the EU or EEA. However, in certain situations, data may be transferred outside the EU or EEA to the extent permitted by law. Transfers outside the EU or EEA may take place in connection with the use of various cloud services, such as Microsoft's OneDrive service and HubSpot's CRM service.

7. Principles of protection and security of processing of personal data

The Company processes personal data in a manner that aims to ensure appropriate security and data protection of personal data. The Company uses appropriate technical and organisational safeguards to ensure this, including the use of firewalls, encryption technologies, secure equipment rooms, appropriate access control and access management, and training of staff and any subcontractors.

Contracts and other documents kept in original form are kept in locked premises to which access is restricted to authorised persons only. Paper copies are destroyed in a secure manner. All parties processing personal data are bound by a duty of confidentiality in relation to the processing of personal data of data subjects.

In accordance with this Privacy Policy, the Company may outsource the processing of personal data to service providers, in which case the Company will ensure through adequate contractual obligations that personal data is processed lawfully. The service providers currently used are Dropbox cloud service, Microsoft's OneDrive cloud service and HubSpot's CRM service. Dropbox's privacy policy can be found at https://www.dropbox.com/privacy, Microsoft's privacy policy at: https://privacy.microsoft.com/fi-fi/privacy and HubSpot's privacy policy at: https://www.hubspot.com/data-privacy/gdpr.

8. Rights of the data subject

Data subjects have rights guaranteed by data protection legislation.

Right of access and right to inspect data

The data subject has the right to obtain confirmation as to whether personal data concerning him or her are being processed.
The data subject has the right to check and see the data concerning him or her and, on request, to receive the data in written or electronic form.

Right to rectification and erasure

The data subject has the right to request the correction of incorrect or inaccurate information. In addition, the data subject has the right to request the erasure of his or her data. The controller shall also delete, correct and complete, on its own initiative, any inaccurate, unnecessary, incomplete or outdated personal data which it has discovered in relation to the purposes of the processing.

Right to data portability, restriction of processing and objection to processing

Data subjects have the right to request the transfer of their data to another controller. In addition, the data subject has the right to request the restriction of the processing of personal data under the conditions set out in the data protection legislation. In addition, where the personal data suspected of being inaccurate cannot be rectified or erased or where there is uncertainty about the erasure request, the Company will restrict access to the data. The data subject has the right to object to the use of the data for certain types of processing. Data subjects have the right to object to the disclosure and processing of their data for direct marketing purposes.

Right to withdraw consent

Where the processing of personal data is based on the explicit consent of the user, the data subject has the right to withdraw his or her consent to the processing of data concerning him or her. Such withdrawal shall have no effect on the processing previously carried out.

Enforcement of rights

Requests concerning data subjects' rights are made in writing to the contact details above. The request must be accompanied by sufficient identifying information. The request will be responded to within a reasonable time and, where possible, within one month of the request and verification of identity at the latest. The Company may request additional information as necessary to comply with the above requests. If the data subject's request cannot be granted, the refusal will be communicated to the data subject in writing.

9. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a data protection authority if he or she considers that his or her personal data have been processed in breach of the applicable legislation.

10. Cookies and other technical monitoring

The company tracks traffic on its websites using cookies, with the help of Google Analytics. The user's browser automatically sends certain information to Google, such as the address of the webpage opened or the search term used to direct the user from Google's search engine to the Company's website.

The Company does not receive information about the user's IP address through Google Analytics, but data in an anonymous form, and the Company is therefore unable to directly identify the user. Google Analytics generates anonymous reports from the data obtained through cookies, which show, for example, the number of visitors, the website from which the visitor arrives at the Company's website, the duration of the website visit, whether the user has visited the website before and which pages of the website the user visits.

By monitoring website traffic, the Company improves websites to provide a better user experience. The user can prevent Google Analytics from collecting data. For more information on how to block, please visit Google's website.

Other cookies are also used on the company's websites. Other cookies are mainly used by the Company to collect information for marketing purposes, such as the functionality of newsletters, opening links and generating traffic to the Company's websites. Through these cookies, the Company collects, among other things, the IP address of the user, the website from which the user has arrived, how long the user has been on the website, which pages the user has visited and any search terms used by the user. The Company uses this information to improve the functionality of the websites and to improve the user experience and marketing.

The Company also uses other third party services on the websites and thus their cookies to share content from the Company's websites on social media. These service providers are Facebook and LinkedIn.

The user has the possibility to block, manage and delete cookies through the browser settings.

11. Changes to the Privacy Policy

The Company is constantly developing its services and may need to amend and update this Privacy Policy as necessary. Changes may also be based on changes in data protection legislation.

This Privacy Policy is published on 17.3.2022